cryptostorm's community forum


So I found it interesting that IVPN put up privacy guides for their users. In one of the guides (https://www.ivpn.net/privacy-guides/18- ... e-provider) they include their 10 questions to ask your VPN provider. I am curious what you would add to the list or how you would modify it. I will paste the recommended questions below.

1. Is there a monthly bandwidth-usage limit?
2. Do you throttle connections that use excessive bandwidth?
3. How many concurrent connections are allowed per account?
4. How many hops are there in your VPN connections?
5. What type(s) of VPN encryption do you use? Why?
6. Do you support perfect forward secrecy? If so, how?
7. Do you provide users with Diffie Hellman key files?
8. How do you authenticate clients – certificates/keys, or usernames/passwords?
9. Do you employ HMAC-Based TLS Authentication? If so, why?
10. Do you ever email usernames and passwords to customers?
11. Does each customer have a unique client certificate and key?
12. Are your VPN gateway servers hosted, co-located or in-house?
13. Are any of your VPN gateway servers running on VPS or cloud servers?
14. How are your VPN gateway servers protected?
15. Where is user account information stored?
16. How is communication between servers secured?
17. Do you allow port forwarding by users?
18. Are all client ports ever forwarded by default? If so, on which servers?

I'm not staff but I'll try to answer as many of these questions as I can.

1. Is there a monthly bandwidth-usage limit?
No.

2. Do you throttle connections that use excessive bandwidth?
See 1.

3. How many concurrent connections are allowed per account?
<unknown>

4. How many hops are there in your VPN connections?
One, until the voodoo nodes come online.

5. What type(s) of VPN encryption do you use? Why?
AES-256-CBC with SHA-512 HMAC. Strongest combination currently available for OpenVPN.

6. Do you support perfect forward secrecy? If so, how?
Yes, through the use of ephemeral keys.

7. Do you provide users with Diffie Hellman key files?
If you mean client-side keys, no. Does not fit the security model.

8. How do you authenticate clients – certificates/keys, or usernames/passwords?
In the Cryptostorm security model, clients are not authenticated as such. The password is a default password used by everyone, so the only differentiator which is used to provide access to the network is the hashed token. Think of it as buying a postage stamp, lottery ticket, or train ticket - in cash. The token is your ticket to use the system, nothing more.

9. Do you employ HMAC-Based TLS Authentication? If so, why?
See 5, unless you mean additional key-based TLS authentication, to which the answer is no.

10. Do you ever email usernames and passwords to customers?
No, just tokens.

11. Does each customer have a unique client certificate and key?
No.

12. Are your VPN gateway servers hosted, co-located or in-house?
Hosted. In the real world (LEO) it makes absolutely no difference.

13. Are any of your VPN gateway servers running on VPS or cloud servers?
The core VPN nodes are running on bare metal. Voodoo nodes will run on VPS instances, but they are no more than gateways to the core nodes, where all of the authentication is performed.

14. How are your VPN gateway servers protected?
Standard and non-standard security methods including firewalls, IDS/IPS and custom scripts, as well as custom compiled, grsecurity-hardened kernels.

15. Where is user account information stored?
There isn't any. Token hashes are stored in a database running on each exit node. Additionally, no IP logs are kept anywhere.

16. How is communication between servers secured?
I don't know for certain, but if it was me it would be a combination of firewalls and secure tunnels.

17. Do you allow port forwarding by users?
If you mean static port-forwarding for servers or BitTorrent clients/seedboxes, no.

18. Are all client ports ever forwarded by default? If so, on which servers?
All client-side ports (i.e. replies) are forwarded on all servers.

We don't do "user"-based network authentication; we make use of network access tokens to manage this process, and as such one token enables one concurrent network session. We have not become comfortable with the MiTM risks of multiple concurrent sessions in a security-intensive framework such as this.
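As an added illustration (not cryptostorm's code), the following Python models the token scheme described in the answer to question 8 and in the reply above: the exit node keeps only token hashes, the password is the same for everyone and carries no identity, and one token admits one concurrent session. The hash function (SHA-512), the default password value and the sample token are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: the shared password every client presents; it is not a secret.
DEFAULT_PASSWORD = "shared-default-password"
# Constructed sample token, standing in for the token a customer receives.
SAMPLE_TOKEN = "example-token-0001"


def token_hash(token):
    """Client-side: derive the value sent in place of a username.
    Assumption: SHA-512; the page only says the token is hashed."""
    return hashlib.sha512(token.encode()).hexdigest()


class ExitNodeAuth:
    """Exit-node side: stores token hashes only (no accounts, no IPs) and
    allows at most one live session per token hash."""

    def __init__(self, token_hashes):
        self._hashes = list(token_hashes)   # what the node's database holds
        self._active = {}                   # token hash -> session id

    def connect(self, presented_hash, password):
        """Return a session id on success, None on refusal."""
        # The password is identical for everyone, so it only gates noise,
        # not identity; compare in constant time anyway.
        if not hmac.compare_digest(password.encode(), DEFAULT_PASSWORD.encode()):
            return None
        # Per-hash constant-time comparison so a wrong hash does not leak
        # how many leading characters matched a stored one.
        known = any(hmac.compare_digest(h.encode(), presented_hash.encode())
                    for h in self._hashes)
        if not known:
            return None
        # One token, one concurrent session: refuse while a session is live.
        if presented_hash in self._active:
            return None
        sid = secrets.token_hex(8)
        self._active[presented_hash] = sid
        return sid

    def disconnect(self, sid):
        """Free the token when its session ends; True if a session was found."""
        for h, live in list(self._active.items()):
            if live == sid:
                del self._active[h]
                return True
        return False
```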

I think the answer to the concurrent users question is out of date now, or merely incorrect. I can connect on my phone (through OpenVPN Connect) and on my PC via the Widget at the same time with no issues on either device. Just to be clear, I'm connecting to two different servers.